Employee Abuse of Internet Rampant

A recent Computer Security Institute/FBI survey reported that 78% of companies polled detected employee misuse of their Internet access privileges. Read about what some IT managers have done, and what you can do to address this problem.

Before cracking down on Internet access abuse at her family's 60-year-old auto dealership, the IT director there found a few employees were spending as much as six out of their eight-hour work day on the Internet -- playing games, gambling, buying stock and even downloading porn.

Today, Vidmar is keeping employees in check and off the online playground by throwing everything in her IT arsenal at the problem: new policies, employee education, monitoring software and increased network vigilance. And Vidmar isn't alone with this problem.

Seventy-eight percent of companies polled in a recent Computer Security Institute/FBI survey reported that they detected employee abuse of their Internet access privileges.

The misuse ranged from playing games in the office to downloading bandwidth-sucking movies or porn, gambling, trading stock, emailing sexually explicit or racist jokes and even sending out critical corporate information.

Taking Back Your Network

Here are some recommendations from corporate users, analysts and security consultants on how to curb worker misuse of the Internet.

"It's a huge problem and unfortunately most companies aren't doing much of anything about it," says Brian Dunphy, director of analysis operations at Alexandria, Va.-based RipTech Inc., a security analyst and consulting firm. "A lot of companies have provided free Internet access and haven't provided guidelines. What is acceptable to one person may not be acceptable to the one paying the bill."

Productivity Compromised

And Vidmar says once she started really looking into employee use of their Internet access in the workplace, it was a virtual "Pandora's box" of problems that she was uncovering.

"Productivity was being compromised...And I was worried about corporate liability. If somebody gets offended by an email, they could go after the company," says Vidmar, who installed Vericept Corp.'s Vericept VIEW for Network Abuse Management, an appliance that tracks and analyzes network traffic. "Sending out an email from here is like sending it out on Vidmar letterhead. I would hate to lose [the business] my grandfather started 60 years ago over a bad Internet joke."

"Somebody accesses their Yahoo or Hotmail account from their desk. They get their email and run an attachment and all of a sudden there's a virus loose in the company," explains Hughes. "They just bypassed all the security and all the money the company put in to securing its networks...Or maybe they're downloading the newest movies. You could have legitimate customers who aren't able to surf your Web site or do queries because this guy is watching movies or even porn."

At American Electric Power Co., the largest generator of electricity in the United States with about 5 million customers in 11 states, department managers set their own policies regarding what employees can and can't do with email, instant messaging and Web surfing.

'Try To Trust Employees'

"Everyone wants to use the Internet and it is a business tool," says Al Moeller, director of business ethics and corporate compliance at Columbus, Ohio-based American Electric Power. "It's like the telephone. We don't tell employees you can't make a personal call or if you do, it's only for a few minutes. It's a good idea to try to trust employees."

Moeller says they make it clear to employees that all Internet access, data and communications belong to the company since they are on the corporate network using corporate-owned equipment and connections. "While I don't want to abuse that, we need to maintain our right as a corporation to look at these things," he adds.

And while they put some trust in their employees, Moeller says his 16- to 20-member security team also keep a close eye on the network. If they spot something suspicious, they investigate. "It's about taking a look now and then," he says. "There's no one who says, 'Let's look at these 35 people today and see what they're doing.' And I don't think we need that."

Some employees, however, have been disciplined for access abuse, Moeller says. And a few have been terminated because of it. "It's a very small number. Word gets around real quick."

Other Computer Crime and Security Survey Results

Discuss Internet Abuse

Click here to jump to a CIN Forum discussion on workplace 'Net abuse. What is your company's worst example? How do you control it?

The Computer Security Institute teamed up with the FBI for their seventh annual Computer Crime and Security Survey. Along with the numbers on employee misuse of corporate Internet access, here are a few of the other findings:

90% of respondents detected computer security breaches within the last 12 months;

80% acknowledge financial losses due to those security breaches;

Respondents noted that the most serious financial losses were caused by theft of proprietary information and financial fraud;

40% detected system penetration from the outside;

34% reported security intrusions to law enforcement -- up from 16% in 1996;

40% detected denial of service attacks, and

85% detected computer viruses.

Please enable Javascript in your browser, before you post the comment! Now Javascript is disabled.

Enterprise Applications: What Businesses Need to Know
An expert panel discusses current trends in enterprise applications, providing advice for businesses looking to refresh their portfolio of enterprise apps.WATCH NOW »